On 25 October 2022, the Central Bank of Nigeria (CBN) released the Exposure Draft Guidelines on Contactless Payments in Nigeria (the Guidelines). The Guidelines were released by CBN in line with its mandate to ensure the safety and stability of the financial systems in Nigeria and promote a resilient and stable payments system.
This article provides an insight into the provisions of the Guidelines.
What is Contactless Payment?
According to the Guidelines, contactless payment is a payment system that involves the use of contactless technology that enables an alternative payments method whereby payment instruments such as pre-paid, debit and credit cards, stickers, fobs, wearable devices, tokens and mobile electronic devices are used without physical contact with devices.
Aims of the Guidelines
The Guidelines aim to provide the minimum standards and requirements for the operation of contactless payments in Nigeria, and to specify the roles and responsibilities of the stakeholders involved.
Who are the Participating Stakeholders?
The participating stakeholders in contactless payments in Nigeria are:
- Payment Schemes
- Card Schemes
- Switching Companies
- Payments Terminal Service Providers (PTSPs)
- Payments Terminal Service Aggregator (PTSA)
- Terminal Owners
- Any other stakeholder/participant(s) as may be designated by the CBN.
The stakeholders are required to obtain CBN’s approval for contactless payments products and for innovative use cases and value-added services.
Minimum Standards for Contactless Payments in Nigeria
The participating stakeholders that process and/or store customers’ information are obliged to ensure that their terminals, applications and processing systems comply, at a minimum, with the following standards:
- PA DSS – Payment Application Data Security Standard
- PCI PED – Payment Card Industry PIN Entry Device
- PCI DSS – Payment Card Industry Data Security Standard
- Triple DES – Data Encryption Standards shall be the benchmark for all data transmitted and authenticated between each party. The Triple DES algorithm is the minimum standard.
- AES – Advanced Encryption Standards
- EMV – the deployed infrastructure must comply with the minimum EMV requirements for Contactless acceptance
- ISO27001 – Information Security Management System
- Other standards as may be specified by CBN from time to time.
Each participating stakeholder (operator) is mandatorily required to maintain valid certification to the above standards and regularly review the status of its systems, applications, networks and devices, to ensure they remain compliant.
Roles and Responsibilities of Stakeholders
The Guidelines provide for the separate roles and responsibilities of the stakeholders as follows:
Some of the roles and responsibilities of acquirers with respect to contactless payments in Nigeria include:
- Only CBN licensed institutions can serve as acquirers for contactless payments.
- Acquirers shall ensure that their applications, instruments, tokens and devices meet current standards and specifications for contactless payments.
- Acquirers shall execute contactless payments agreements with parties for utilizing contactless platforms for payments.
- Acquirers shall be able to accept all cards or payments instruments used in Nigeria.
Some of the roles and responsibilities of Issuers with respect to contactless payments in Nigeria include:
- Only CBN licensed institutions shall serve as Issuers for contactless payments.
- Issuers shall ensure that activation of contactless payment is at the customer’s instance, and with full consent.
- Issuers shall ensure that their applications, instruments, tokens and devices meet current standards and specifications for contactless payments.
- Issuers shall activate only accounts and wallets with Bank Verification Number (BVN).
- Issuers shall ensure that transaction limits are strictly adhered to.
Payment Schemes and Card Schemes
Payment Schemes and Card schemes have the same roles and responsibilities with respect to contactless payments in Nigeria. These roles and responsibilities include:
- Ensuring that all contactless transactions are processed online or submitted via current processing specifications.
- Implementing a documented risk management process to identify and treat risks associated with contactless payments.
Switching companies have the responsibility of ensuring that contactless transactions consummated by all payment instruments issued in Nigeria are successfully switched between acquirers and issuers.
Payment Terminal Service Providers (PTSPs)
Some of the roles and responsibilities of PTSPs with respect to contactless payments in Nigeria include:
- Ensuring that all their terminals for contactless payments are functional at all times.
- Ensuring that they have adequate support infrastructure that supports coverage for merchants.
- Ensuring that all deployed devices and terminals have support service contact information.
- Preventing instrument clashes even when multiple contactless payments devices are present.
Payment Terminal Service Aggregator (PTSA)
The PTSA shall, on an annual basis, or more frequently, certify POS terminals for contactless payments to ensure POS terminals meet the approved standard for the industry and also put in place a risk management process.
Some of the roles and responsibilities of merchants with respect to contactless payments in Nigeria include:
- Ensuring that deployed devices and applications are available for contactless payments of goods and services.
- Merchants shall be held liable for fraudulent contactless payments arising from negligence/connivance.
- Contactless payment transaction value and associated charges shall be clearly communicated to the customer prior to consummation of the transaction.
- Displaying the contactless symbol.
Terminal owners are to ensure that all terminals and devices are compliant with appropriate minimum specifications and also ensure the implementation of a documented risk management process.
Customers have the option to opt in by applying and consenting to applicable terms and conditions, and can withdraw without prior notice to the issuer. Customers are also obliged to authenticate contactless payments transactions as may be required, exercise due diligence in carrying out contactless payments transactions and protect their payments instruments from unauthorized use.
The CBN is to determine the appropriate transaction and cumulative daily limits for contactless payments from time to time. However, stakeholders are permitted to set limits in line with CBN’s limits.
Contactless payment transactions below stipulated daily limits may not require customers’ authorization such as token, biometrics, PIN, etc., while higher-value contactless payments shall require customer verification such as PIN, mobile code, biometric, etc.
Sanctions and Penalties
Stakeholders are required to comply with the provisions of the Guidelines and other relevant regulations of the CBN. Failure to comply attracts appropriate sanctions and penalties as may be determined by the CBN.
The Exposure Guidelines provide a regulatory framework for the activities and conduct of affairs of the stakeholders in the contactless payments system in Nigeria. When the Guidelines become operational, all stakeholders will be required to conduct their affairs and carry out their roles in accordance with the minimum standards set under the Guidelines.
Please note that the contents of this article are for general guidance on the Subject Matter. It is NOT legal advice.
For further information or to see our other service offerings, please visit www.goldsmithsllp.com or contact: